Pivoting and Port Forwarding using Metasploit

The main purpose of port forwarding while performing a penetration test is to help us reach a specific port on a system that doesn’t exist on the same network.In order to understand this better let’s assume that we have compromised a system which belongs to a network range of 192.168.31.0/24.This network is the that we managed to gain access.

Attackers IP 192.168.31.20 – KAlI LINUX

Pivoting IP 192.168.31.2 – WINDOWS 7

Targeted IP 10.10.10.3 – WINDOWS XP

In this scenario the pivoting system has two interface of 192.168.31.2 and 10.10.10.2, we going to exploit the target machine in the network range 10.10.10./24 with our Attackers ip of 192.168.31.20 using the compromised pivoting machine 192.168.31.2.

All we have to do is to set up a local listener to our machine that would communicate with the meterpreter session that we have opened from the compromised system.This meterpreter session will actually forward the port to the machine that is running the service and is not accessible directly from our system.

Let’s say that we have successfully exploited the system through a vulnerability and we have opened a meterpreter session.The first thing that we have to do is to use the route command in order to be able to communicate with the internal network (private) through the compromised machine.The 10.10.10.2 is the private IP of the system that we have exploited.

#meterpreter > ifconfig

It will list interface with ipaddress range this machine belongs too.

Then run arp_scanner to scan ipaddress range that compromised machine belong too.

#meterpreter > run arp_scanner -r 10.10.10.0/24

It will list the machine with ipaddress in this above range.

Then “route” command in Metasploit allows you to route sockets through a session or ‘comm’, providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.

#meterpreter > route add 10.10.10.0 255.255.255.0 1

Then background the session and we can reach the internal network through the compromised system we can use the TCP scanner of metasploit framework in order to discover any open ports on the remote target.

#msf > use auxiliary/scanner/portscan/tcp

#msf > set RHOSTS 10.10.10.3

#msf > set PORTS 1-5000

#msf > run

Then portfwd command from within the Meterpreter shell is most commonly used as a pivoting technique. Allowing direct access to machines otherwise inaccessible from the attacking system. Running this command on a compromised host with access to both the attacker and destination network (or system), we can essentially forward TCP connections through this machine. Effectively making it a pivot point. Much like the port forwarding technique used with an ssh connection, portfwd will relay TCP connections to and from the connected machines.

From an active Meterpreter session, typing portfwd -h will display the command’s various options and arguments.

From the Meterpreter shell the command is used in the following manner:

#meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.10.3

“add” will add the port forwarding to the list, and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console. Making it available to any terminal session.

“-l 3389” is the local port that will be listening and forwarded to our target.This can be any port on your machine, as long as it’s not already being used.

“-p 3389” is the destination port on our targeting host.

“-r 10.10.10.3” is the our targeted system’s IP or hostname.

This argument needs no options and provides us with a list of currently listening and forwarded ports.

#meterpreter > portfwd list

In this example, we will open a port on our local machine and have our meterpreter session forward a connection to our victim on that same port. We’ll be using port 3389, which is the Window’s default port for Remote Desktop connections.

We verify that port 3389 is listening by issuing the “netstat” command from another terminal.

From here we can initiate a remote desktop connection to our local 3389 port. Which will be forwarded to our victim machine on the corresponding port.

Another example of “portfwd” usage is using it to forward exploit modules such as “MS08-067”.Using the same technique as show previously, it’s just a matter of forwarding the correct ports for the desired exploit.

Here we forwarded port 445, which is the port associated with Window’s Small Message Block or SMB. Configuring our module target host and port to our forwarded socket. The exploit is sent via our pivot to the victim machine.

The same method can be implemented and for any other service that we want to reach (SSH,Telnet,FTP etc..